Applying Mitre ATT&CK To OSINT
How to apply the Mitre Pre-ATT&CK model to open source intelligence (OSINT).
Every week there seems to be a new breach, scam or attack of some kind affecting the threat landscape. These incidents range widely in impact, but they share certain commonalities, the biggest of which is that they all proceed through a logical, organized process. The first step of that process is invariably reconnaissance, meaning open source intelligence gathering and analysis, so much so that Lockheed Martin names it as the first step in its widely used framework, the Cyber Kill Chain.
How does this intelligence gathering and analysis process work? Where do attackers find their information, and how do they use it? Mitre organized these steps into its Pre-ATT&CK framework (since folded into ATT&CK Enterprise as the Reconnaissance and Resource Development tactics), an operational-level view of the tactics, techniques, and procedures (TTPs) attackers use to gather and analyze intelligence. The same catalogue gives security teams a shared vocabulary for recognizing those TTPs and, where possible, mitigating them.
The kill chain, as originally developed by Lockheed Martin, is the general course of action followed in a cyber attack. It is divided into seven steps:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives
It is the first step, reconnaissance, where any given attacker is most likely to spend the majority of his or her time. After all, most cyber attacks begin as some form or other of social engineering or intelligence gathering, thus requiring the attacker to collect and analyze detailed information on his targets in order to gain access to their systems.
The Mitre Pre-ATT&CK framework details the operational level of this reconnaissance phase, breaking it down into two broad, three-part categories – information gathering and analysis/weakness identification. The three sections of the information gathering category are mirrored in the analysis category.
These sections are:
Technical information gathering
People information gathering
Organizational information gathering
Technical weakness identification
People weakness identification
Organizational weakness identification
Once an attacker has decided on a target, he or she cannot blindly launch an attack. First, he or she must understand the type of systems employed by the individual or organization (Technical), the personnel at the organization (People), and the organization itself (Organizational), at which point he or she must analyze this information to determine weaknesses.
Virtually all of this information gathering can be completed using OSINT tools and techniques.
Technical information gathering is, well, just that – gathering information on an organization’s technical resources. This includes active scanning, passive scanning, determining 3rd party infrastructure, understanding domain and IP address spaces, enumerating network trust dependencies, building email address formats, identifying defensive capabilities, and collecting technology usage patterns.
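To make the "building email address formats" step concrete, here is an added Python example written for this page (it is not DigitalStakeout's or Mitre's code). It infers an organization's naming convention from a few addresses already visible in public sources and applies that convention to names gathered elsewhere, which is exactly the passive, log-free step an attacker takes before any phishing or pretexting. All names, addresses and the example.com domain are constructed, and the template list is an assumption about common conventions.

```python
"""Infer an organization's email address format from a few publicly seen
addresses and apply it to names collected elsewhere.

Added example for this page (not DigitalStakeout or Mitre code). Every name,
address and the example.com domain below is constructed for illustration.
"""
import re
from collections import Counter

# Local-part conventions to test. Assumption: these common patterns cover the
# target; a real tool would carry more (middle initials, numeric suffixes, ...).
TEMPLATES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "lastfirst":  lambda f, l: f"{l}{f}",
    "first":      lambda f, l: f,
}


def _normalize(token):
    """Lower-case and keep ASCII letters only, so "O'Brien" -> "obrien"."""
    return re.sub(r"[^a-z]", "", token.lower())


def _split_name(full_name):
    """Return (first, last) from a display name, or None for one-word names."""
    parts = full_name.split()
    if len(parts) < 2:
        return None
    return _normalize(parts[0]), _normalize(parts[-1])


def infer_format(known_pairs):
    """known_pairs: iterable of (full_name, email) seen in public sources.

    Each sample votes for every template that reproduces its local part and
    the template with the most votes wins. Returns (template_name, votes,
    ambiguous); ambiguous is True when another template tied for first.
    Returns (None, 0, False) if no template explains any sample.
    """
    votes = Counter()
    for full_name, email in known_pairs:
        name = _split_name(full_name)
        if name is None or "@" not in email:
            continue
        first, last = name
        local = email.split("@", 1)[0].lower()
        for tname, tmpl in TEMPLATES.items():
            if tmpl(first, last) == local:
                votes[tname] += 1
    if not votes:
        return None, 0, False
    ranked = votes.most_common()
    best, count = ranked[0]
    ambiguous = len(ranked) > 1 and ranked[1][1] == count
    return best, count, ambiguous


def generate_addresses(names, domain, template):
    """Apply an inferred template to names harvested from public sources."""
    tmpl = TEMPLATES[template]
    out = []
    for full_name in names:
        name = _split_name(full_name)
        if name is None:
            continue
        out.append(f"{tmpl(*name)}@{domain}")
    return out


# Constructed samples: three addresses "found" on a conference page and a
# press release, plus names "found" on a professional networking site.
KNOWN = [
    ("Alice Smith", "alice.smith@example.com"),
    ("Bob O'Brien", "bob.obrien@example.com"),
    ("Carol Ng", "carol.ng@example.com"),
]
HARVESTED = ["Dan Lee", "Erin Patel-Kumar", "Madonna"]  # one-word name is skipped

if __name__ == "__main__":
    fmt, n, tie = infer_format(KNOWN)
    print(f"format={fmt} votes={n} ambiguous={tie}")
    for addr in generate_addresses(HARVESTED, "example.com", fmt):
        print(addr)
```

Nothing in this script touches the target organization, which is the point of the passage: the three seed addresses and the harvested names all come from material the organization or its staff published voluntarily. The ambiguity flag matters in practice, since a single sample such as "alfox" is consistent with more than one convention and an attacker (or a defender auditing exposure) should collect more samples before trusting the guess.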
Much of this information is, by its very nature, free and open to discovery across the internet, primarily due to the fact that the internet itself requires this information to function (IP/domains, trust dependencies, versions, languages and dependencies of web apps, etc.). However, some of the information requires more active approaches.
As a general rule, if the information is freely available online, the defender has no way of knowing whether an attacker is collecting it, whereas the more actively the attacker has to probe the target to collect the information, the easier it is for the defender to see the attempt in logs and alerts.
This does not mean all is lost, however, as we will see below.
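The defender's side of that asymmetry, as an added example that is not part of the original page or DigitalStakeout's tooling: passive collection never reaches the target's logs, but active scanning does. The Python below reads constructed iptables-style firewall lines and flags any source that touches many distinct host/port pairs inside a short window. The log format, the addresses (taken from the documentation ranges) and the thresholds are assumptions for illustration.

```python
"""Flag active reconnaissance in firewall logs.

Added example for this page (not DigitalStakeout or Mitre code). The log lines
are constructed in an iptables-like key=value style; addresses come from the
documentation ranges and the window/threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]


def constructed_log():
    """Build a sample log: one fast scanner, one normal client, one slow scanner."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Fast scan: 12 ports on one host within six seconds.
    for i, port in enumerate(COMMON_PORTS):
        t = base + timedelta(seconds=0.5 * i)
        lines.append(f"{t.isoformat()} DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT={port}")
    # Normal client: web traffic to ports 80 and 443 only.
    for i in range(8):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} ACCEPT SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT={443 if i % 2 else 80}")
    # Slow scan: the same 12 ports, one probe every five minutes.
    for i, port in enumerate(COMMON_PORTS):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} DROP SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT={port}")
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, src, (dst, dport)) from one constructed log line."""
    fields = line.split()
    ts = datetime.fromisoformat(fields[0])
    kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    return ts, kv["SRC"], (kv["DST"], int(kv["DPT"]))


def detect_scanners(log_text, window_seconds=60, min_targets=10):
    """Return {src: set of (dst, port)} for every source that reached at least
    min_targets distinct host/port pairs inside some window_seconds window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, target = parse_line(line)
            events[src].append((ts, target))
    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_seconds.
            while (evs[end][0] - evs[start][0]) > timedelta(seconds=window_seconds):
                start += 1
            if len({t for _, t in evs[start:end + 1]}) >= min_targets:
                flagged[src] = {t for _, t in evs}  # report every target this source touched
                break
    return flagged


if __name__ == "__main__":
    for src, targets in detect_scanners(constructed_log()).items():
        ports = sorted(port for _, port in targets)
        print(f"{src}: {len(targets)} distinct targets, ports {ports}")
```

With the default 60-second window only the fast scanner is reported. The slow scanner, one probe every five minutes, never has more than one event in any window and slips through, which is the classic low-and-slow evasion; widening the window (for example to an hour) catches it in this sample, at the cost of more false positives from legitimate clients that talk to many services over a day. The choice of window is the tuning decision that separates "visible in principle" from "actually alerted on".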
With the explosion of social media and of people-search and data-broker sites that aggregate personally identifiable information, collecting information on people is now easier than ever before. This information can range from basic personal details, to a person's relationships (both personal and business), to the groups they belong to and their specific roles within those groups.
With a little deductive reasoning, an attacker can take largely disparate pieces of information about several individuals and paint a clear picture of an organization. In fact, the Pre-ATT&CK framework itself notes considerable overlap in the types of information gathered under the technical, people, and organizational sections.
Indeed, using multiple sources, an attacker can learn all kinds of information.
Take the following example: an attacker uses LinkedIn to compile a list of all regional managers within a specific department. He then calls the company's HR call center to ask about those individuals (who reports to them and to whom they report), but is first asked to provide his employee ID number. So he searches for any sort of clue that would give him a name and an associated ID number, then calls again and gets the information he wants.
This example combines social media mining with pretexting over the phone (voice phishing), and the attacker now has detailed organizational information he can use in his attack.
How can an organization prevent the discovery of this information?
Well, besides the obvious measure of more robust caller verification at the call center, there isn't much the organization can do short of ordering all employees to take down their social media and other online presences, which is not possible in the modern era. Rather, the organization should understand the digital footprint it and its personnel display publicly on the web and draw its own deductive conclusions about how that information could be used by a potential attacker. This can help identify patterns and trends, as well as likely targets, for any potential attack.
Returning to the Mitre framework, the second stage of the reconnaissance phase is analysis/weakness identification. Using all of the information collected in the information gathering stage, the threat actor analyzes it until he or she is confident of a plan of attack that is most effective while maintaining the highest level of operational security.
Essentially, this stage is little more than research and analysis of the collected information. Perhaps most importantly, it is the stage in which an attacker is most likely to test his or her own tooling for signatures and other artifacts that could later be used during an investigation to attribute the attack back to its source.
Virtually none of the tactics employed in this stage are identifiable or visible to a security team, primarily because the attacker is working with previously gathered information rather than touching the target. To foil an attack that has already progressed to this stage, the Pyramid of Pain model would be an appropriate framework, though that is outside the scope of this article.
Being proactive in understanding your organization's and its personnel's digital footprints is part of a process known as intelligence driven defense (IDD). It is important to know what a threat actor can collect about your personnel and organization. Knowing what information is out there, from the perspective of a threat actor, will help your team understand where potential weaknesses lie and how to be ready if an attacker attempts to exploit them. More importantly, there are many tactics security teams can employ to make threat actors work a lot harder and to slow them down.
Use DigitalStakeout Scout to monitor and detect non-essential footprint and exposures. DigitalStakeout will help you understand how to take steps to reduce your digital exposure in a manner that does not prevent your employees and organization from thriving in a digitally driven world and economy.